autoconf

Re: security vs. configure


From: Russ Allbery
Subject: Re: security vs. configure
Date: 23 Apr 2001 00:03:04 -0700
User-agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Channel Islands)

Tom Holroyd <address@hidden> writes:

> What do you think?  Is this a configure problem or should it be left to
> "packagers"?  Can configure include tools that make such integrity
> verification easier (and automatic)?  For example, "make dist" or
> whatever could always create a GPG-signed file.

I don't think this is a problem solvable in autoconf.  Software is too
big to audit thoroughly before compiling and running, so I think the only
good solution is to trust the source of the software, which makes GnuPG
signatures of the source probably the best one can do currently.
configure isn't really any different than the makefiles or even the source
code in terms of what has to be trusted.

Adding support to make dist for generating signatures would be an Automake
thing, not an autoconf thing.  That probably isn't a bad idea.

-- 
Russ Allbery (address@hidden)             <http://www.eyrie.org/~eagle/>


